CISPA amended to protect citizens, but does it go far enough?

While the thrust of the bill remains intact, an amendment filed Tuesday seeks to mitigate users’ concerns that the bill would allow federal agencies a nearly unfettered look at regular citizens’ private information stored online. The bill is up for a vote in the House Friday, and author and House Intelligence Committee (HIC) chairman Rep. Mike Rogers (R-Mich) is confident it has the votes to pass.

Make no mistake: the language that dramatically expands access to private information is still in the bill. But it’s trickier than that, an HIC staff member told the Daily Dot.

Since CISPA is designed to stop cyber threats—international ones in particular—its authors don’t want to rule out who it can look at when it knows of threatening activity. The reason is simple: it’s too easy for a hacker to fake where she’s coming from. Though the overwhelming majority of the threats CISPA seeks to address are foreign, “cyber attacks are often very difficult to attribute,” the staff member said.

With the identification parameters set in stone, the new amendment seeks to protect user data in the next best way it can: stymying any federal use of user data if it’s not explicitly a threat. Two clauses in particular seem tailored to privacy activists.

“No department or agency of the Federal Government shall retain or use information ... for any use other than a use permitted under subsection (c)(1),” reads one clause.

(c)(1) refers to the shortlist of user data that, if stumbled upon by the federal government, can be used against citizens. Its cases are only extreme: if a government agency finds evidence of petty crime, it’s prohibited from using that information in any way.

“[CISPA’s authors] don’t want this information to be used to go looking for tax cheats or something like that,” the HIC staff member said.

The list of user information that, if discovered via CISPA, can be used against citizens is five items long:

1. For “cybersecurity purposes”—a term defined at length elsewhere in the amendment.
2. To investigate or prosecute cybersecurity crimes.
3. When information indicates an individual is in danger of death or serious bodily harm
4. When information contains child pornography
5. When information threatens national security

The new and improved CISPA has instant critics, though. The Electronic Frontier Foundation released a statement already condemning the changes as cosmetic.

An “overall vagueness,” the EFF says, still permeates the bill. And many of CISPA’s proposed accountability measures remain unrealistic, the organization claims.

CISPA’s authors, for their part, are aware they still have critics.

Speaking about consulting with the digital rights activist group the Center For Democracy and Technology, Rep. Rogers said “while we’ve met some of their concerns, we have certainly not met them all.”

Congressmen, defense contractors, and ISPs argue that U.S. information systems are highly vulnerable, but Internet rights organizations are concerned that the powers granted by the bill to government, military, and private firms are far too broad and invasive.